From d39b075302c27f77b2de413697a5aacb034d8286 Mon Sep 17 00:00:00 2001
From: clubby789
Date: Thu, 4 Mar 2021 17:12:01 +0000
Subject: [PATCH] Enable `process_vm_readv` and `process_vm_writev` for kernel > 4.8

These syscalls were disabled in #18971 due to them requiring CAP_PTRACE. CAP_PTRACE was blocked by default due to a ptrace related exploit. This has been patched in the Linux kernel (version 4.8) and thus `ptrace` has been re-enabled. However, these associated syscalls seem to have been left behind. This commit brings them in line with `ptrace`, and re-enables it for kernel > 4.8.

Signed-off-by: clubby789
---
 profiles/seccomp/default.json | 2 ++
 profiles/seccomp/default_linux.go | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 4213799ddb..786e5658ff 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -401,6 +401,8 @@
 },
 {
 "names": [
+"process_vm_readv",
+"process_vm_writev",
 "ptrace"
 ],
 "action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 879eb88c64..32778e5116 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -390,7 +390,11 @@ func DefaultProfile() *Seccomp {
 Args: []*specs.LinuxSeccompArg{},
 },
 {
-Names: []string{"ptrace"},
+Names: []string{
+"process_vm_readv",
+"process_vm_writev",
+"ptrace",
+},
 Action: specs.ActAllow,
 Includes: Filter{
 MinKernel: &KernelVersion{4, 8},
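Review bot: The widened rule `Names: []string{ "process_vm_readv", "process_vm_writev", "ptrace", }` now bundles three syscalls under `MinKernel: &KernelVersion{4, 8}` with no comment saying why they belong together, so the rationale survives only in this commit message; add a why-comment above the entry, e.g. `// process_vm_readv/writev go through the kernel's ptrace access check, so they share ptrace's >= 4.8 minimum (re-enabled after the fix referenced in #18971).` Note that `KernelVersion{4, 8}` as a minimum reads as "4.8 or newer", whereas the subject says "kernel > 4.8"; the comment should state the inclusive bound the profile actually enforces. The default.json hunk carries the same addition; if that file is produced from this Go source by `go generate`, it should be regenerated rather than hand-edited so the two copies cannot drift. DefaultProfile continues outside the hunk.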